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(54) Browser system 

(57) A Web browser (210) is configured to run in a 
middle compartment (206) of a compartmented mode 
workstation (CMW) (200). The operation of the Web 
browser (210) is prevented from accessing or damaging 
other compartments of the CMW machine (200) as a 
result of mandatory access control (MAC), which is con- 
figured appropriately. 

The Web browser (210) communicates with Web 
servers (252) attached to the internet (240), the Internet 
being connected to an outside compartment of the 
CMW machine (210), via a trusted outside process 
(TPO) (214). TPO (214) has the privileges required to 
override MAC. The Web browser (210) communicates 



with a display server (232), which is attached to an 
inside compartment (204) of the CMW machine (210), 
via a trusted inside process (TP!) (204). TP I also has 
privileges to override MAC. The Web browser (210) can 
request and receive Web pages incorporating mobile 
code, and can process the mobile code safely within the 
middle compartment (206). As a result of processing 
the mobile code, the Web browser (210) sends only X- 
messages to the display server (232), in order that the 
display server can render the images resulting from the. 
processed mobile code. 
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Description 

Technical Field 

[0001] The present invention relates in general to 
computerised systems for down-loading, or 'browsing', 
information stored in computer-readable form. More 
particularly, although not exclusively, the invention 
relates to a browser system for browsing information 
that contains mobile code retrievable from the World 
Wide Web. 

Background Art 

[0002] The World Wide Web (Web) may be thought of 
as a global village where computers (hosts) are the 
buildings, and the worldwide computer network known 
as the Internet forms the streets. The computers have 
addresses (IP Addresses) consisting of four numbers 
separated by periods. Many hosts also have nicknames 
known as domain names. A Web site typically consists 
of a UNIX or Microsoft Windows based Web server, 
which runs on a host and 'serves' software or content to 
other computers accessing the Web site. A Web site is 
not a single application, but a system that provides 
access to applications and data stored on the host, as 
well as inside an organisation. A user utilises a Web 
browser* running on a client computer to access the 
software or content on the Web server. 
[0003] Figure 1 illustrates a client computer 100 exe- 
cuting a Web browser program 105 that is employed by 
a user to communicate over the Internet 110, in a spe- 
cial language called HyperText Transfer Protocol 
(HTTP) 1 15, with a host computer 120 executing a Web 
server program 125 to obtain data. Hereafter, the term 
T Web browser' may be used interchangeably to describe 
a Web browser program or the program in execution on 
a computer, depending on the context. In the diagram, 
and in following diagrams, solid connection lines repre- 
sent physical connections between hardware and bro- 
ken connection lines represent logical connections 
between software processes. The most basic Web 
transaction involves the transmission of Web pages, 
written in HyperText Markup Language (HTML) from the 
Web server 125 to the Web browser 105. Upon request 
by the user at the Web browser 105, the Web server 
125 translates the HTML-based Web page into HTTP 
and sends it over the Internet 1 10 for display as a Web 
page on the requesting browser 105. The Web browser 
105 receives the HTTP-encoded Web page, translates 
the HTTP back into HTML and displays the page. 
[0004] The concept of 'mobile code' has been devel- 
oped to extend the functionality of the Web. Mobile code 
is typically code associated with a Web page which, 
when downloaded from a Web server, automatically 
executes within the environment of the requesting Web 
browser. In a simple form, mobile code can be used to 
enhance the graphical appearance of a Web page by, 



for example, implementing simple animation. It is envis- 
aged, however, that mobile code will be used to imple- 
ment many different and far more complex functions in 
future. A good example of one use for mobile code is to 
5 download transactional clients, which support special- 
ised user interfaces, to support data transfer between 
client and server applications. 

[0005] Commonly, mobile code is written in the Java 
programming language as a Java applet. Mobile code 

10 may also be written in other languages, such as defined 
in the ActiveX model. Both Java applets and ActiveX 
control functions can be embedded into a standard Web 
page. Therefore, the simple operation of downloading a 
Web page can also download and activate associated 

15 mobile code. 

[0006] While mobile code can greatly extend the func- 
tionality of the Web, the same extended functionality, by 
its nature, leads to serious security issues. 
[0007] Mobile code, and Web browsers that run 

20 mobile code, are developed according to rigid security 
guidelines which are intended to prevent the possibility 
that malicious users can use mobile code to cause 
harm to the computing environment surrounding a Web 
browser. However, there are already many documented 

25 flaws in the security measures, which can lead to devas- 
tating results. Typically, the party downloading 'rogue* 
mobile code would be unaware of the damaging effect 
thereof until it was too late. 

[0008] Some serious mobile code attacks known take 
30 advantage of bugs in the mobile code processing envi- 
ronment of the Web browser, which allow the mobile 
code to gain control over the operating system of the 
computing platform. From this position, the mobile code 
could cause damage such as deleting all files on the 
35 computer, or even launching attacks on other, net- 
worked computing platforms. 

[0009] Other serious mobile code attacks are known 
as social engineering' attacks. These attacks rely on 
tricking an unwary user by, for example, sending the 

40 user a 'patch' for the Web browser, and suggesting that 
the patch is to remedy a security flaw in the Web 
browser. The patch, instead of being one that remedies 
a security flaw, actually overwrites good code with code 
that creates a security flaw. There are many other ways 

45 of tricking unwary users in this way. 

[0010] Web browsers, which can run mobile code, 
such as Netscape Navigator™, typically include the 
option to 'disable' mobile code processing, thereby pre- 
venting the potential for any damage, even if mobile 

so code is downloaded. Of course, this radical measure, 
whilst being very effective, also removes any benefit 
which can be obtained from genuine, safe mobile code. 
[001 1 ] It would therefore be desirable to have a sys- 
tem in which mobile code can be executed safely, while 

55 at the same time not allowing rogue mobile code to 
cause any damage to any system. 
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Disclosure of the Invention 

[0012] In accordance with a first aspect, the present 
invention provides a secure browser system as claimed 
in claim 1 . s 
[001 3] The term browser is commonly associated with 
complex and sophisticated programs such as Netscape 
Navigator™ or Internet Explorer™. These programs 
are well known. However, herein, the term browser is 
used more broadly to include any program or system 
which, when running, is able to receive a requested 
resource, for example a Web page, from a source such 
as a Web server connected via a communications net- 
work to the browser. Further, a browser according to the 
present invention can even receive unsolicited 
resources as a result of, for example, some form of 
'push* technology, which distributes resources or mes- 
sages to registered subscribers. 

[0014] The invention has the advantage that mobile 
code is processed in a secure environment, so that the 
client, which is apart from the environment, remains rel- 
atively safe from attack. The client only receives data 
from the browser to visualise the output of the process- 
ing of the mobile code on the browser. The client is, 
therefore, in effect able to access mobile code, and see 
the result of the processing of the mobile code, without 
being subjected to any threat from rogue mobile code. 
[0015] In a preferred embodiment of the present 
invention, the browser system comprises a secure oper- 
ating system, for example one which enforces Manda- 
tory Access Control (MAC), such that mobile code and 
the browser are unable to damage the system running 
the browser, let alone the client. 

[001 6] While the invention, in general, aims to protect 
user systems from rogue mobile code, and from vulner- 
able browsers running rogue mobile code, embodi- 
ments which employ secure operating systems, such as 
those providing MAC, can be configured to also provide 
a high level of protection to the computer platform that 
supports the browser running the mobile code. Such 
systems consequently can provide even more protec- 
tion to users' systems, by greatly reducing the risk of 
mobile code reaching users' systems, or other parts of 
the network, by some other route. 
[001 7] Other aspects and features of the invention are 
described and claimed below. 

Brief Description of the Drawings 

[0018] A preferred embodiment of the present inven- 
tion will now be described, by way of example only, with 
reference to the accompanying drawings, of which: 

Figure 1 is a diagram illustrating a standard Web 
environment; 

Figure 2 is a diagram illustrating a CMW machine 
configured for operation in accordance with the 
present embodiment; 



Figure 3 is a diagram, which illustrates the 'domi- 
nates' relationships between compartments 
defined in the CMW machine of Figure 2; 
Figure 4 is a diagram, which illustrates the relation- 
ships, and protocols that exist between the proc- 
esses that operate for the purposes of the present 
embodiment; 

Figure 5 is a flow diagram which illustrates the 
steps required to initiate a CMW machine for oper- 
ation in accordance with the present embodiment; 
and 

Figure 6 is a flow diagram, which illustrates the 
steps involved for the purposes of the present 
embodiment when a client requests a Web page 
including mobile code. 

Best Mode For Carrying Out the Invention. & Industrial 
Applicability 

[001 9] According to the present embodiment, the Web 
browser operates on a computing platform within the 
environment of a secure operating system that enforces 
MAC. A particularly suitable secure operating system is 
the HP-UX 10.09.01 Compartmented Mode Worksta- 
tion (CMW) sold by Hewlett-Packard Company, which 
provides a MAC policy governing the way data may be 
accessed on a trusted system. 

[0020] The MAC policy is a computerised version of 
the US Department of Defence's long-standing multi- 
level security policy for handling classified information. 
The MAC policy uses labels that reflect information sen- 
sitivity, and maintains those labels for every process 
and file system object to prevent users not cleared for 
certain levels of classified information from accessing it. 
Under MAC, users and processes are also assigned 
clearances. A clearance defines the maximum sensitiv- 
ity label the user or process can access, which is neces- 
sary since some users and processes have privileges 
that allow them to switch between sensitivity labels. 
Using the MAC policy, the operating system controls 
access based on the relative sensitivity of the applica- 
tions running and the files they access. The HP-UX 
CMW operating system rates as a B1 grade secure 
operating system, according to the Orange Book 
[NCSC] criteria. In general B1 and higher-grade operat- 
ing systems apply some form of MAC. 
[0021] The HP-UX 10.09.01 CMW [DIA 91], is 
described in detail in the documents referenced at the 
end of this description, which are available from 
Hewlett-Packard Company. At the time of writing this 
description, HP-UX 10.09.01 CMW is the current ver- 
sion of the operating system. Future versions of the 
operating system, and the respective documentation, 
will, however, remain relevant to the present description 
and embodiment. 

[0022] Hereinafter, for convenience of description 
only, the term "CMW machine" is intended to mean a 
computing platform with an operating system having 
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additional, CMW security features, which are described 
below. A particularly suitable operating system is 
Hewlett-Packard Company's HP-UX CMW operating 
system. 

[0023] The following description describes in detail 
how to use Mandatory and Discretionary Access Con- 
trols, Sensitivity Labels, Trusted Processes and Privi- 
leges on a CMW machine to restrict the behaviour of 
mobile code and of a Web browser that downloads this 
code. A preferred arrangement is shown in Figure 2. 
[0024] Figure 2 illustrates a CMW machine 200 con- 
nected via an internal network 220 to a user machine 
230 running a display server 232, and via an external 
network to a Web server 252 machine 250 running a 
Web server 252. The internal network 220 is also shown 
connected to other apparatus, labelled w, x, y and z 
(labelled 222, 224, 226 and 228 respectively), which 
can be other user machines, servers or network appli- 
ances such as printers. The external network comprises 
a connection from the CMW machine 200 to the Internet 
240 (via appropriate switching and routing equipment, 
which is not shown). The user machine 230 can be, for 
example, a PC, a UNIX workstation or an X terminal. 
For the present purposes, the user machine 230, in 
whatever form, is running an X display server 232. The 
internal network 220 comprises an Ethernet, which sup- 
ports TCP/IP communications between the user 
machine 230 and the CMW machine 200. 
[0025] The CMW machine 200 is configured to have 
one classification: System (S) 202; and three compart- 
ments: Inside (I) 204, Middle (M) 206 and Outside (O) 
208. This generates eight sensitivity labels (the opera- 
tion of which will be described in detail below) of which 
only five are used in Figure 2: S, SI, SM, SO, SIMO 
(shown as 216). The three other possible sensitivity 
labels - SIO, SIM, and SMO - are unused in this embod- 
iment. The CMW machine 200 incorporates a Web 
browser 210, which is arranged to run in the SM com- 
partment. The Web browser 210 in this case is a Net- 
scape Navigator™ browser. A compartment is, in effect, 
a virtual machine within which processes and file 
objects associated with the virtual machine can operate 
or be operated on. 

[0026] The display server 232 is attached to the SI 
compartment of the CMW machine 200. and the exter- 
nal network is attached to the SO compartment of the 
CMW machine 200. Thus, data received from, or trans- 
mitted onto, the external network acquires the sensitiv- 
ity label of the SO compartment. Also, data sent to or 
received from the display server 232 acquires the sensi- 
tivity label of the SI compartment. 
[0027] As already mentioned, sensitivity labels are 
associated with every process and file system object, 
and are used as the primary basis for all MAC policy 
decisions. A sensitivity label represents the sensitivity of 
a process or a file system object and also the data each 
contains. If an application and the file it attempts to 
access have compatible sensitivity labels, the applica- 



tion can read, write, or possibly execute the file, and 
each new process typically inherits the sensitivity label 
of its parent. For example, if a program is executed 
within a shell (for example, sh(1), csh(1), or ksh(1)), the 

5 new process automatically inherits the sensitivity label 
of the shell process. New files always inherit the sensi- 
. tivlty label of the process that creates them. The system 
can provide special trusted programs that may be 
employed for changing the sensitivity label of a file alter 

ro it has been created. 

[0028] Sensitivity labels are prioritised for MAC in a 
way that determines how processes or objects having 
one sensitivity label can interact with processes or 
objects having different sensitivity labels. The prioritisa- 

15 tion is defined internally of the operating system. The 
diagram in Figure 3 represents the relationship between 
the parts of the system illustrated in Figure 2. 
[0029] In Figure 3, the arrows point from dominating 
sensitivity labels to dominated sensitivity labels. Thus, 

20 in Figure 3: SIMO dominates SI, SM and SO; SO domi- 
nates S; SM dominates S; and SI dominates S. ft should 
be noted that SO, SM and SI have no 'dominates' rela- 
tionships between them. Also, the labels SMO. SIO and 
SIM, which are not used in the present embodiment, are 

25 illustrated for completeness in boxes with dashed lines 
to indicate where they would appear. One further impor- 
tant aspect of the dominates relationships, which is not 
shown in the diagram, is that each sensitivity label dom- 
inates itself. 

30 [0030] Users are generally not permitted to down- 
grade (by reducing the respective sensitivity labels of) 
any files, processes or objects which they control, so 
that the new label is dominated by the previous label. 
Also, users are not permitted to cross grade them so 

35 that the new label is incomparable to the previous one. 
The system is also configured so that downgrading and 
cross grading are not enacted automatically by the acts 
of reading or writing. 

[0031 ] The effect of the MAC policy is to rigidly control 
40 information flow in the system, from process to file to 
process, to prevent accidental or intentional mislabelling 
of sensitive information. To achieve this, for every oper- 
ation, the system compares sensitivity labels to deter- 
mine if a user or process can access an object. Any time 
45 a user or process tries to read, write, or execute a file, 
the system examines the process and object sensitivity 
labels and consults its MAC rules. For each operation a 
process requests the system determines if the process 
has mandatory read or mandatory write access to the 
so object. Most restrictions that the MAC policy enforces 
can be summarised by the two following rules: 

(1) Mandatory read access: a process can read or 
execute a file, search a directory, or (subject to 
55 other privilege requirements) read the contents of 
other objects if the process's sensitivity label domi- 
nates the object's. All of these operations involve 
transferring data from the object to the process, so 
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having such access is referred to as "mandatory 
read" access. 

(2) Mandatory write access: a process can write to 
a file, remove or create an entry in a directory, or 
change any object's security attributes (including its 
sensitivity label), if the process's sensitivity label is 
the same as the object's. All of these actions involve 
transferring data from the process to the object, so 
having such access is called "mandatory write" 
access. 

[0032] The first rule prevents a user who is not cleared 
for classified information from seeing it. The second rule 
prevents a user with a high clearance from revealing 
information to other users with lower clearances. 
[0033] In effect. MAC in the CMW machine 200 
ensures that information can flow only in the opposite 
direction to the "dominates" relationship. Thus MAC 
allows the mobile code and Web browser 210 to read 
data only with a sensitivity label of "S" or "SM". The Web 
browser 210 and mobile code can write data only with a 
sensitivity label of "SM". Neither the Web browser 210, 
nor the mobile code, is able to gain direct access to 
either the inside network or the outside network, since 
these have sensitivity labels of "SI" and "SO". 
[0034] The CMW machine 200 does not impose the 
concept of an all-powerful "Super User" (e.g. "root") or 
Administrator. Instead, this power is divided up into a 
number of privileges. Assigning privileges to a program 
confers on it power to do particular actions. Programs 
with these privileges are known as trusted processes'. 
Trusted processes, TP I (trusted process - inside) 212 
and TPO (trusted process - outside) 214, shown in Fig- 
ure 2, have the privileges that allow them to ovemde the 
MAC. Thus the Web browser 210 and mobile code must 
use TP I 212 and TPO 214 to gain access to the internal 
and external networks. 

[0035] Trusted processes are typically very small pro- 
grams, which are carefully designed to carry out a sin- 
gle, specific process, such as passing specific data 
between compartments in a CMW machine. Trusted 
processes have privileges which enable them to over- 
ride MAC, but these privileges are only raised when 
required, and lowered thereafter, to minimise the 
chances of misuse by any other user or process. Also, a 
trusted process checks whether a user or other process 
has the right to access it, before allowing such access. 
[0036] TP I 212 is a trusted process that manages the 
interaction between the real Web browser 210 (and 
mobile code) running in the SM compartment, and the 
display server 232 running on the inside network. In 
some embodiments, the display server 232 could in fact 
be running in the SI compartment on the CMW machine 
200, but this would be less likely in a networked environ- 
ment. TPI 212 has the necessary privileges that enable 
it to override MAC and pass data between the SI and 
SM compartments. 

[0037] TPO 21 4 is a trusted process, which manages 



interaction between the real Web browser 210 (and 
mobile code) running in the SM compartment and the 
Internet 240, which is connected to the SO compart- 
ment. 

5 [0038] All messages from the Web browser 21 0 (and 
mobile code) to the external network are sent via TPO 
214. TPO 214 can be configured to block undesirable 
messages from the Web browser 21 0, such as attempts 
to communicate with prohibited external sites or 

10 attempts to download mobile code from certain sites. 
Additionally, TPO 214 can be configured to block mes- 
sages emanating from the downloaded code when it 
executes in the Web browser 210. TPO 214 can also be 
configured to filter incoming messages intended for the 

15 Web browser 210, in a similar fashion to a packet filter 
or firewall. The Web browser 210 runs in the SM com- 
partment without any privileges. The Web browser 210 
is configured to direct every network connection to TPO 
214 by making use of built-in SOCKS functionality. That 

20 is to say, the Web browser 210 must support SOCKS, 
as will be described below. 

[0039] The Web browser 210's executable file, the 
files, directories and the resources that are only read by 
the Web browser 210, such as the configuration files, 

25 are given the label S. The result is that the MAC protects 
these resources so that users, a broken browser or 
malicious mobile code cannot bypass the security 
administration by overwriting them with their own copies 
of these files. Other files that need to be both read and 

30 written to by the Web browser 210, such as a bookmark 
file, history files or a cache, are labelled as SM. 
[0040] All the users and hosts of the internal network 
220 are given the label SI and all the hosts of the Inter- 
net 240 are given the label SO. Since the Web browser 

35 210 has no privileges, it and all its child processes, such 
as those executing mobile code, can only run with the 
label SM. Therefore, the behaviour of the Web browser 
210 and mobile code is encapsulated in the SM com- 
partment. 

40 [0041] Thus, the CMW machine 200 configuration 
shown in Figure 2 ensures that the Web browser 210 
running in the SM compartment cannot interfere with 
other processes running with other sensitivity labels. 
This configuration can be generalised to an arbitrary 

45 number of middle compartments (Middle__1 

Middle_n). Each compartment can be used to isolate a 
Web browser 210 and any associated mobile code 
accessed by a user connected to the CMW machine 
200. If some controlled sharing of information between 

so the code in the Web browsers is required, multiple 
browsers can run in the same compartments, under dif- 
ferent user identifiers. The CMW machine 200 therefore 
acts as a Web browser 210 server to let multiple users 
on the inside network use Web browsers 210 and 

55 mobile code securely and conveniently. Each user has a 
personal copy of his or her Web browser 210 resources, 
such as a bookmark file, on the CMW machine 200, with 
these resources all having the same sensitivity label. 
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Conventional Discretionary Access Control (DAC), as 
found in general operating systems such as UNIX, can 
be used to specify which local files owned by one user 
the mobile code downloaded by another user can 
access. 

[0042] The implementation of the above architecture 
consists of the four components, three of which have 
been described above, namely: TPI 212, TPO 214 and 
the Web browser 210. These three components, and a 
fourth component, the trusted browser front end 
(TBFE), are illustrated in Figure 4. Figure 4 shows the 
relationship between these four components and the 
communication protocols in use between them. 
[0043] The diagram in Figure 4 shows that the TBFE 
is a parent process to TPI 212, TPO 214 and the Web 
browser 210. In other words, TPI 212, TPO 214 and the 
Web browser 210 are child process to the TBFE. Com- 
munications between TPI 212 and the Web browser 210 
comprise X-messages, communications between the 
Web browser 210 and TPO 21 4 comprise SOCKS mes- 
sages and the communications between TPI 212 and 
the display server 232 comprise X-messages. 
[0044] The following six privileges are defined within 
CMW and are used in accordance with the present 
embodiment to support the present system: 

Allowmacread: overrides MAC restrictions on read 
operations, allowing a process having this privilege 
to read an object's data and attributes regardless of 
the object's sensitivity label; 

Allowmacwrite: overrides MAC restrictions on write 
operations, allowing a process having this privilege 
to write an object's data and attributes regardless of 
the object's sensitivity label; 

Chsubjsl: (stands for change subject sensitivity 
label) allows a process having this privilege to 
change its own sensitivity label to any label domi- 
nated by the process's clearance; 

Configaudit: required by the ioctl(2) interface and 
used to configure the security audit system; 

Suspendaudit: if raised, the security audit system 
does not produce system call records on behalf of 
the processes. Most trusted processes raise this 
privilege because they produce their own audit 
records, making those automatically generated by 
system calls unnecessary; and 

Writeaudit: Required by the write(2) interface of the 
audit device to append records to the audit trail. 

[0045] TPI 212 comprises a proxy display server (in 
this embodiment, a proxy X-server [X Window]). The 
Web browser 210 in effect sends all X requests needed 
to render itself on a screen to TPI 212, rather than to a 



local display server. Subsequently, TPI 212 forwards the 
requests to the remote display server 232 running on 
the user machine 230. TPI 212 can also be configured 
to filter out undesirable or dangerous messages before 

5 forwarding them to the remote display server 232 on the 
internal network 220. For example, TPI 212 may be con- 
figured to connect only to a predefined set of hosts or 
clients, and only to the display servers on those hosts. 
The details of such a configuration are beyond the 

w scope of the present description, but are within the limits 
of ability of the skilled person. 

[0046] For operation in accordance with the present 
embodiment TPI 212 requires the Chsubjsl privilege to 
allow it to receive connections from both the SI and SM 

15 compartments. TPI 21 2 also requires the Allowmacread 
and Allowmacwrite privileges, so that it can pass data 
between the SM and SI compartments. TPI 212 also 
needs Configaudit, Suspendaudit and Writeaudit privi- 
leges to configure, manipulate and write audit records, 

20 as mentioned above. 

[0047] TPO 214 comprises a connection request 
proxy, which in the present embodiment is a modified 
SOCKS server that uses the SOCKS [SOCKS] protocol 
to communicate with the Web browser 210, and mobile 

25 code downloaded by the Web browser 210, in the SM 
compartment. SOCKS is a well known, freeware proxy 
server, used to relay TCP streams between a client and 
the Internet 240. It is known to configure and use 
SOCKS as a filter or firewall application. 

30 [0048] SOCKS is modified in TPO 214 in the present 
embodiment so that it can accept connections originat- 
ing from multiple sensitivity labels. That is, TPO 214 can 
accept connections from the SM compartment, as well 
as from the SO compartment. This is achieved, as with 

35 TP 1 21 2, using the Chsubjsl privilege. TPO 214 can also 
pass the data between compartments having different 
sensitivity labels using the Allowmacread and Allow- 
macwrite privileges subject to the security criteria set up 
by the system's security administrator. 

40 [0049] TPO 214 also needs Configaudit, Suspendau- 
dit, and Writeaudit to configure, manipulate and write 
audit records. 

[0050] The process for initialising a Web browser 21 0 
and its associated proxies will now be described with 

45 reference to the flow diagram in Figure 5. 

[0051 ] In step 500, a TBFE is started remotely by the 
user, who has an account on the CMW machine 200, 
which authorises the user to activate a Web browser 
210. The user can start TBFE by making use of remote 

so execution functions provided by UNIX, such as 'remsh' 
or Yexec'. To do this, the user would first have to be 
logged-on to the CMW machine 200. The server version 
of these functions can be rewritten to take the advan- 
tage of the CMW machine 200 to enhance security, but 

55 a description of how to achieve this is outside the scope 
of this text. A shell script to start the TBFE on the CMW 
machine 200 is installed on the user's machine. An 
alternative to a shell script would be to use Secure Shell 
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(SSH) to provide a secure login. Conveniently, SSH also 
encrypts the X-protocol messages, by using the SSH 
server (on the CMW machine 200 ) to pass the X -mes- 
sages to the SSH client (on the user's machine). The 
SSH client then forwards the X-messages to the X- 5 
server running on the user's machine. 
[0052] In step 510. when TBFE is started, it reads and 
parses its configuration file to check for semantic errors. 
An exemplary configuration f fle is reproduced below: 

# lines start with # are comments 
# 

# start tpi at system inside and let it taJk with system 
middle 

BEGIN_INIT{ 
location of the program 
PROGRAM: /home/proj 1/tpi 
#sensitivity label to start the program 
LEVEL: SYSTEM INSIDE 
#arguments passed to the program 
ARG: -1 "SYSTEM MIDDLE" -s zhong-q- 1 -n 1 
JENDJNIT 
# 

#start tpo at system outside 
BEGINJNIT{ 

PROGRAM: /home/proj 1/tpo 
LEVEL: SYSTEM OUTSIDE 
#arguments passed to program to define SOCKS 
options 
ARG: -d3-s 
JENDJNIT 
# 

#start netscape at system middle with the tpi as the 
x-server 
BEGIN_INIT{ 
PROGRAM: netscape 
LEVEL: SYSTEM MIDDLE 
#Netscape configuration argument 
ARG: -display localhost: 1 
JENDJNIT 
# 

[0053] Each process to be spawned by the TBFE has 
one entry in the TBFE configuration file. In the configu- 
ration file listed above, there are entries for TPI 212, 
TPO 214 and the Web browser 210. Each entry speci- 
fies the location of the program file in the CMW machine 
200*s file system, the sensitivity label to start the pro- 
gram and the parameters (argument vectors, or ARGs) 
which should be passed to the program. The parame- 
ters define the communication channels between the 
different processes, such as the TCP port number that 
the TPI 212 should listen to and the X-server that the 
Web browser 210 should direct the display message to. 
[0054] The TBFE configuration file includes an entry 
for TPI 212. The entry specifies the location of the TPI 
212 program, assigns to TPI 212 the label "SYSTEM 
INSIDE", and declares the following parameters: 



defines the sensitivity label "SYSTEM MIDDLE" for TPI 
212 to interact with; "s" defines the display server 232 
"zhong-q-1" to be used; and "-n" defines the proxy 
number "1" used for communications with the display 
server 232. In practice, display servers are allocated 
port numbers running from 6000. Thus, a proxy number 
of "1 " maps to a port number of 6001 . 
[0055] The configuration file also includes an entry for 
TPO 214. The entry specifies the location of the TPO 
214 program, assigns to TPO 214 the label "SYSTEM 
OUTSIDE", and declares the following parameters: "-d" 
defines the debug level as "3"; and "-s" sends all the 
debug information to be displayed on "stderr". 
[0056] Finally, the configuration file includes an entry 
for the Web browser 210. The entry specifies the loca- 
tion of the Web browser 210 program, assigns to the 
Web browser 210 the label "SYSTEM MIDDLE" and 
declares the parameter: "-display localhost: 1", which 
configures Netscape to send display messages to TPI 
212, on proxy server number 1 , instead of to the default 
X-server. 

[0057] After reading the configuration file successfully, 
in step 515 the TBFE processes the entries one by one. 
For each entry in the configuration file, in step 520, the 
TBFE raises the Chsubjsl privilege, which allows it to 
adopt the sensitivity label required for the respective 
child process in step 525. In step 530, the TBFE drops 
the Chsubjsl privilege, to prevent a spawned process 
from misusing it. Then, in step 535, TBFE spawns the 
respective child process. In effect, TBFE changes its 
own sensitivity label to the required sensitivity label of 
the child process that it is going to spawn in order that 
the child process inherits the correct sensitivity label, as 
specified in the configuration file. Next, the TBFE again 
raises the Chsubjsl privilege in step 540, reverts to its 
original sensitivity label in step 545 and, finally drops 
the Chsubjsl privilege in step 550. This process repeats, 
in step 555 for all three entries in the configuration file 
until both proxies and the Web browser 210 have been 
spawned. 

[0058] Finally, in step 560, the TBFE waits for one of 
the child processes that it spawned to terminate (this 
will usually be the Web browser 210 when the user has 
finished using it), and then, in step 565, sends exit sig- 
nals to the other child processes and itself exits in step 
570. Thus, TBFE acts as a single point-of-entry to the 
Web browser 210. Also, the TBFE will terminate the 
whole group of processes when any single member ter- 
minates for any reason. 

[0059] Other than the Chsubjsl privilege, TBFE also 
needs Conf igaudit, Suspendaudit and Writeaudit privi- 
leges to enable it to configure, manipulate and write 
audit records. Audit records may be used as a historical 
log of events, which can be analysed to trace any unu- 
sual activity, potentially resulting from rogue mobile 
code. Auditing is well known in computer system man- 
agement practice, and will not thus be described herein 
in any further detail. 
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[0060] When TPl 212 is started by the TBFE in the SI 
compartment, TPl 212 makes a system call which 
allows it to act as a multilevel server. To make the sys- 
tem call, TPl 212 requires the Chsubjsl privilege: TPl 
212 raises the Chsubjsl privilege, makes the system call 
and then lowers the Chsubjsl privilege again. Once act- 
ing as a multilevel server, TPl 212 can receive connec- 
tions on its allocated TCP port from the SM 
compartment as well as from the SI compartment. 
[0061] When the TPO 214 is started by the TBFE in 
the SO compartment, TPO 214 also makes a system 
call which allows it to act as a multilevel server. To make 
the system call, as for TPl 212, TPO 214 requires the 
Chsubjsl privilege: TPO 214 raises the Chsubjsl privi- 
lege, makes the system call and then lowers the Chsub- 
jsl privilege again. TPO 214 then waits for connections 
on its allocated TCP port: which is typically port 1080, 
the default SOCKS port. The same port number is also 
defined in the Web browser 21 0's options to be used by 
the Web browser 210 as the messaging proxy port 
number to which all Web requests are sent. 
[0062] Having started a Web browser 210 on the 
CMW machine 200, as described above, the user is 
presented with a standard Web browser 210 screen, 
which is rendered in an X-window of the X display 
server 232 on the user machine 230. The display server 
232 facilitates all keyboard or mouse interaction by the 
user with the window by sending events to the Web 
browser 210 on the CMW machine 200. The Web 
browser 210 responds with requests, which control the 
display server 232, tor example to update the X-window 
display. For ease of understanding only, both X events 
and X requests will be referred to as X-messages. Typi- 
cally, the initial display is that of the user's 'home page*. 
[0063]* The sequence of steps that occur when a user 
requests a Web page from a Web server 252 will now 
be described with reference to the flow diagram in Fig- 
ure 6. 

[0064] In step 600, the user submits a request for a 
specific Web page, or other resource. The request can 
be a result of the user selecting a hyperlink or typing in 
the respective URL (universal resource locator). The 
request is received by TPl 212 in step 605. In step 610, 
TPl 212 raises the Allowmacwrite privilege, to allow TPl 
212 to override the MAC'S read/write restrictions, in 
order to transfer the request from the display server 232 
(attached to the SI compartment) to the Web browser 
210 (in the SM compartment) in step 615. When the 
transfer is complete, in step 620, TPl 212 lowers the 
Allowmacwrite privilege again. 

[0065] In step 625, the Web browser 21 0 receives the 
request and attempts to initiate a connection with the 
appropriate remote Web server 252, which holds the 
required Web page. TPO 214 receives the connection 
request from the Web browser 210 in step 630 and 
raises the Allowmacread privilege, in step 635, in order 
to facilitate data transfer from the Web browser 210 (in 
the SM compartment) to the external network (attached 



to the SO compartment). Then, in step 640, TPO 214 
forwards the connection request to the external net- 
work. TPO 214 also acts to filter the request to block 
communications with prohibited external sites. Alter 

5 transmission is complete, in step 645, TPO 214 lowers 
the Allowmacread privilege again. 
[0066] The processes that occur once the request 
reaches the Internet are well known in the present art 
and will not therefore be described herein in detail. In 

w brief, however, in step 650, the Web server 252 receives 
the request and responds by returning the Web page 
and associated mobile code to the CMW machine 200. 
In practice, one Web page typically references, and is 
rendered from, multiple data sources (commonly con- 

75 taining data such as formatted text and graphics 
images), which are down-loaded onto a Web browser 
using multiple HTTP requests. In the present case, 
where the Web page includes mobile code, there will be 
a reference to at least one embedded process, for 

20 example a Java applet, which is down-loaded to the 
Web browser in the form of byte codes. 
[0067] In step 655, TPO 214 receives the stream of 
HTTP from the Web server 252. TPO 214 again filters 
the stream at this stage to block undesirable messages. 

25 Then, in step 660, TPO 214 raises the Allowmacwrite 
privilege and passes the HTTP stream from the SO 
compartment to the Web browser 210 in the SM com- 
partment in step 664. Then, in step 667, TPO 214 low- 
ers the Allowmacwrite privilege. 

30 [0068] The Web browser 210 receives the stream and 
interprets the content as a Web page with embedded 
mobile code, in step 670. The Web browser 210, which 
is configured to allow mobile code to execute, then 
loads the mobile code into memory and executes it in 

35 step 674. As a result of executing the mobile code, the 
Web browser 210 generates a graphical output, in step 
677, and requests a connection, in step 680, to pass the 
output X-messages to the display server 232. 
[0069] When the Web browser 210 requests a con- 

40 nection from the SM compartment, TPl 212 accepts the 
request, evaluates it and tries to make a connection to 
the remote display server 232 in step 685. The identity 
and location of the remote display server 232 that the 
user is using is passed to TPl 212 as a parameter in the 

45 configuration file, as described above. On successfully 
connecting to the display server 232, TPl 212 raises the 
Allowmacread and Allowmacwrite privileges in step 690 
and, having established a connection, pumps the mes- 
sages between the SM and the SI compartments in step 

so 695 to the display server 232. Optionally, some X-mes- 
sage filtering can also be performed here to prevent 
suspicious X-messages, potentially generated by the 
mobile code, from getting through. 
[0070] Then, TPl 212 lowers the Allowmacread and 

55 Allowmacwrite privileges in step 697 and, finally, in step 
699, the display server 232 receives the X-messages 
and renders the X-window appropriately 
[0071 ] The users of the internal network 220, who can 
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only connect to the SI compartment, cannot bypass the 
security administration by directly starting their own 
Web browser. This is because Web browsers started by 
internal users cannot gain access to the TPO 214, as a 
result of TPO 214 accepting connections only from the 
SM and SO compartments. Web browsers 210 started 
by internal users directly can therefore interact only with 
the internal network 220. 

[0072] It is emphasised that the embodiment 
described above defines only one specific way of work- 
ing the present invention, which conveniently takes 
advantage of HP's CMW operating system. Clearly, 
other CMW-compliant operating systems, such as SUN 
Microsystems' Trust Solaris operating system, could be 
readily configured to implement the invention. Indeed, 
embodiments of the invention could be implemented in 
any operating system, by configuring the operating sys- 
tem to provide appropriate functionality. The present 
invention should therefore be read broadly to encom- 
pass any system that applies the general teachings that 
are herein disclosed. 

[0073] It will be appreciated that the invention is par- 
ticularly suited to increasing security in scenarios where 
transactional clients are down-loaded as mobile code 
for interaction with other clients or servers in a client- 
server environment Such an environment can be one 
that complies with the CORBA (Common Object 
Request Broker Architecture) model. 
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Claims 

1 . A browser system, comprising: 

a browser process configured to receive from a 
remote data source a resource incorporating 
mobile code and to process the mobile code to 
generate graphical output data; and 
an inside interface process configured to pro- 
vide a communications channel between the 
browser process and a remote display system 
to facilitate transfer of the graphical output data 
to the remote display system. 

2. A browser system according to claim 1, comprising 
an operating system which associates processes or 
objects within the operating environment of the 
operating system with one of a number of sensitivity 
labels, wherein the browser process has a first sen- 
sitivity label and data associated with the remote 
display system has a second sensitivity label. 

3. A browser system according to either preceding 
daim, wherein the inside interface process has a 
first privilege which allows it to transfer data from 
the browser process to the remote display system. 

4. A browser system according to claim 3. wherein the 
inside interface process is configured to raise the 
first privilege when data transfer is required and 
lower the first privilege alter data transfer is com- 
pleted. 

5. A browser system according to any one of the pre- 
ceding claims, further comprising an outside inter- 
face process, which provides a communications 
channel between the browser process and the 
remote data source to facilitate transfer of data from 
the remote data source to the browser process. 

6. A browser system according to claim 5, wherein 
data associated with the remote data source has a 
third sensitivty label. 



55 7. A browser system according to claim 5 or claim 6, 
wherein the outside interface process has a second 
privilege which allows it to transfer data from the 
remote data source to the browser process. 
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8. A browser system according to claim 7, wherein the 
outside interface process is configured to raise the 
second privilege when data transfer is required and 
lower the second privilege alter data transfer is 
completed. 

9. A browser system according to claim 1 , wherein the 
inside interface process is configured as a multi- 
level process whereby it can receive connection 
requests having either the first sensitivity label or 
the second sensitivity label. 

10. A browser system according to claim 5, wherein the 
outside interface process is configured as a multi- 
level process whereby it can receive connection 
requests having either the second sensitivity label 
or the third sensitivity label. 

11. A browser system according to any one of the pre- 
ceding claims, wherein the operating system 
enforces Mandatory Access Control. 

12. A browser system configured for operation in an 
operating system enforcing mandatory access con- 
trol, the browser system comprising: 

a browser process having a first sensitivity 
label; 

an inside interface process having privileges 
that allow it to transfer data between the 
browser process and a display system, the 
operating system being configured to allocate 
data associated with the remote display system 
with a second sensitivity label; and 
an outside interface process having privileges 
that allow it to transfer data between the 
browser and a remote data source, the operat- 
ing system being configured to allocate data 
associated with the remote data source with a 
third sensitivity label, the browser process 
being configured to: 

receive via the outside interface process a 
resource including mobile code; 
process the mobile code to provide graphical 
output data; and 

send the graphical output data via the inside 
interface process to the display server. 

13. A browser system according to claim 11, wherein 
the browser process is further configured to receive 
a request, via the inside interface process, from the 
display server for a remote resource including 
mobile code and to transfer a respective request for 
the resource, via the outside interface process, to 
the remote data source. 

14. A method of securely accessing a resource includ- 
ing mobile code using a browser system configured 



for operation in an operating system enforcing man- 
datory access control, the method including a 
browser process having a first sensitivity label 
enacting the steps of: 

5 

receiving, via an outside interface process, a 
resource including mobile code from a remote 
data source, the operating system being con- 
figured to allocate data associated with the 

10 remote data source with a third sensitivity label 

and the outside interface process having privi- 
leges that allow it to transfer data between the 
browser and the remote data source; 
processing the mobile code to provide graphi- 

is cal output data; and 

sending the graphical output data via an inside 
interface process to a display server, the oper- 
ating system being configured to allocate data 
associated with the remote display system with 

20 a second sensitivity label and the inside inter- 

face process having privileges that allow it to 
transfer data between the browser process and 
the display system. 
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